diff --git a/README.md b/README.md
index 4d1f360cd..95de9dd75 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ The LDS/CDS/EDS/RDS APIs are now frozen and will maintain backwards compatibility according to standard proto rules (e.g. new fields will not reuse tags, field types will not change, fields will not be renumbered, etc.).
-The remainder of the API (ADS, HDS, RLS, filter fragments other than HTTP
+The remainder of the API (ADS, HDS, RLS, SDS, filter fragments other than HTTP
 connection manager, the bootstrap proto) are draft work-in-progress. Input is welcome via issue filing. Small, localized PRs are also welcome, but any major changes or suggestions should be coordinated in a tracking issue with the
@@ -74,7 +74,7 @@ closed issue should also be included.
 this repository.
 * REST-JSON API equivalents will be provided for the basic singleton xDS
- subscription services CDS/EDS/LDS/EDS. Advanced APIs such as HDS, ADS and
+ subscription services CDS/EDS/LDS/RDS/SDS. Advanced APIs such as HDS, ADS and
 EDS multi-dimensional LB will be gRPC only. This avoids having to map complicated bidirectional stream semantics onto REST.
@@ -110,6 +110,7 @@ Unless otherwise stated, the APIs with the same names as v1 APIs have a similar
 * [Listener Discovery Service (LDS)](api/lds.proto). This new API supports dynamic discovery of the listener configuration (which ports to bind to, TLS details, filter chains, etc.).
 * [Rate Limit Service (RLS)](api/rls.proto)
 * [Route Discovery Service (RDS)](api/rds.proto).
+* [Secret Discovery Service (SDS)](api/sds.proto).
 In addition to the above APIs, an aggregation API will be provided to allow for fine grained control over the sequencing of API updates across discovery
@@ -166,6 +167,6 @@ repeated below and some new v2 terms introduced.
 * Upstream: An upstream host receives connections and requests from Envoy and returns responses.
-* xDS: CDS/EDS/HDS/LDS/RLS/RDS APIs.
+* xDS: CDS/EDS/HDS/LDS/RLS/RDS/SDS APIs.
 * Zone: Availability Zone (AZ) in AWS, Zone in GCP.
diff --git a/api/BUILD b/api/BUILD
index 4cfadb473..c5ca8f869 100644
--- a/api/BUILD
+++ b/api/BUILD
@@ -22,6 +22,7 @@ api_proto_library(
 ":discovery",
 ":cds",
 ":lds",
+ ":sds",
 ],
 )
@@ -31,11 +32,6 @@ api_proto_library(
 deps = [":base"],
 )
-api_proto_library(
- name = "tls_context",
- srcs = ["tls_context.proto"],
-)
-
 api_proto_library(
 name = "cds",
 srcs = ["cds.proto"],
@@ -46,7 +42,7 @@ api_proto_library(
 ":discovery",
 ":health_check",
 ":protocol",
- ":tls_context",
+ ":sds",
 ],
 )
@@ -87,7 +83,7 @@ api_proto_library(
 ":address",
 ":base",
 ":discovery",
- ":tls_context",
+ ":sds",
 ],
 )
@@ -111,3 +107,13 @@ api_proto_library(
 ":discovery",
 ],
 )
+
+api_proto_library(
+ name = "sds",
+ srcs = ["sds.proto"],
+ has_services = 1,
+ deps = [
+ ":base",
+ ":discovery",
+ ],
+)
diff --git a/api/bootstrap.proto b/api/bootstrap.proto
index fb4c73f74..8b9fb7671 100644
--- a/api/bootstrap.proto
+++ b/api/bootstrap.proto
@@ -11,6 +11,7 @@ import "api/base.proto";
 import "api/discovery.proto";
 import "api/cds.proto";
 import "api/lds.proto";
+import "api/sds.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
@@ -231,6 +232,7 @@ message Bootstrap {
 // to know how to speak to the management server. These cluster definitions
 // may not use EDS (i.e. they should be static IP or DNS-based).
 repeated Cluster clusters = 2;
+ repeated Secret secrets = 3;
 }
 StaticResources static_resources = 2;
diff --git a/api/cds.proto b/api/cds.proto
index 1b19268c8..78b77c2e0 100644
--- a/api/cds.proto
+++ b/api/cds.proto
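Review bot: `repeated Secret secrets = 3;` in `StaticResources` is added with no leading comment, while the sibling `clusters` field above it is documented, so the generated docs will not say how a static secret is matched to a reference. Presumably the match is `Secret.name` against an `SdsSecretConfig` that sets only `name` (the SdsSecretConfig comment later in this diff says such a reference is loaded from static resources); if so, suggest `// Secrets referred to by name from SdsSecretConfig entries that carry no sds_config. A Secret can hold a TlsCertificate, so a bootstrap file populating this field presumably contains private key material and should be protected accordingly.` The enclosing `message Bootstrap` starts and ends outside the hunk.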
@@ -7,7 +7,7 @@ import "api/base.proto";
 import "api/discovery.proto";
 import "api/health_check.proto";
 import "api/protocol.proto";
-import "api/tls_context.proto";
+import "api/sds.proto";
 import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";
diff --git a/api/lds.proto b/api/lds.proto
index aa9f71366..eeff7dff2 100644
--- a/api/lds.proto
+++ b/api/lds.proto
@@ -9,7 +9,7 @@ package envoy.api.v2;
 import "api/address.proto";
 import "api/base.proto";
 import "api/discovery.proto";
-import "api/tls_context.proto";
+import "api/sds.proto";
 import "google/api/annotations.proto";
 import "google/protobuf/struct.proto";
diff --git a/api/tls_context.proto b/api/sds.proto
similarity index 77%
rename from api/tls_context.proto
rename to api/sds.proto
index 6926f9781..f4773bea0 100644
--- a/api/tls_context.proto
+++ b/api/sds.proto
@@ -2,8 +2,26 @@ syntax = "proto3";
 package envoy.api.v2;
+import "api/base.proto";
+import "api/discovery.proto";
+
+import "google/api/annotations.proto";
 import "google/protobuf/wrappers.proto";
+service SecretDiscoveryService{
+rpc StreamSecrets(stream DiscoveryRequest)
+returns (stream DiscoveryResponse) {
+}
+
+rpc FetchSecrets(DiscoveryRequest)
+returns (DiscoveryResponse) {
+option (google.api.http) = {
+post: "/v2/discovery:secrets"
+body: "*"
+};
+}
+}
+
 message DataSource {
 oneof specifier {
 string filename = 1;
@@ -74,7 +92,9 @@ message CommonTlsContext {
 // Multiple TLS certificates can be associated with the same context,
 // e.g. to allow both RSA and ECDSA certificates [V2-API-DIFF].
+ // TLS certificates can be either configured locally or fetched from SDS.
 repeated TlsCertificate tls_certificates = 2;
+ repeated SdsSecretConfig sds_secret_configs = 6;
 // How to validate peer certificates.
 CertificateValidationContext validation_context = 3;
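Review bot: `service SecretDiscoveryService{` and its two RPCs carry no leading comments, so the generated docs will not say what a secrets `DiscoveryResponse` contains, and the missing space before `{` differs from `message DataSource {` in the same hunk. Suggest `service SecretDiscoveryService {` with a comment above it such as `// Discovery service for Secret resources (see message Secret). Responses presumably carry TLS certificates and their private keys, so clients should only reach this service over an authenticated, encrypted channel — TODO confirm.` A one-line comment on each of `StreamSecrets` and `FetchSecrets` naming the resource type returned would match how the other xDS services are presumably documented (not visible here).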
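Review bot: `repeated SdsSecretConfig sds_secret_configs = 6;` has no comment of its own, and the sentence added above `tls_certificates` does not say what happens when both lists are populated — merged, one preferred, or rejected as a configuration error. Suggest a leading comment on the new field stating that rule once decided, e.g. `// Certificates fetched through SDS; each entry names a Secret whose tls_certificate is used (merged with tls_certificates — TODO confirm).` The jump to field number 6 is fine only if 4 and 5 are in use further down `CommonTlsContext`, which this hunk does not show; the message starts and ends outside the hunk.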
@@ -111,3 +131,19 @@ message DownstreamTlsContext {
 // If specified, Envoy will reject connections without a valid and matching SNI.
 google.protobuf.BoolValue require_sni = 3;
 }
+
+message SdsSecretConfig {
+ // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
+ // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
+ // When only name is specified, then secret will be loaded from static resources [V2-API-DIFF].
+ string name = 1;
+ ConfigSource sds_config = 2;
+}
+
+message Secret {
+ // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
+ string name = 1;
+ oneof type {
+ TlsCertificate tls_certificate = 2;
+ }
+}
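Review bot: The `SdsSecretConfig.name` comment talks about "config" but the field is `sds_config`, and neither `sds_config` nor `Secret.tls_certificate` has a comment at all; suggest on `sds_config`: `// Source of the SDS server. When unset, the Secret named by name is taken from the static resources.` once that lookup is confirmed. The `Secret.name` comment is a verbatim copy of the one in `SdsSecretConfig` and could instead state that this is the key an `SdsSecretConfig.name` is matched against. `oneof type` generates `type_case()` in C++ and `type` is a keyword or builtin name in several target languages; since the README in this diff lists SDS as draft, renaming it now (e.g. `oneof secret`) is cheap, whereas after publication it is a source-breaking change.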